Exemplo n.º 1
0
func configure(logger lager.Logger) (*ssh.ServerConfig, error) {
	cf_http.Initialize(*communicationTimeout)

	if *diegoAPIURL == "" {
		err := errors.New("diegoAPIURL is required")
		logger.Fatal("diego-api-url-required", err)
	}

	url, err := url.Parse(*diegoAPIURL)
	if err != nil {
		logger.Fatal("failed-to-parse-diego-api-url", err)
	}

	_, err = url.Parse(*ccAPIURL)
	if *ccAPIURL != "" && err != nil {
		logger.Fatal("failed-to-parse-cc-api-url", err)
	}

	var diegoCreds string
	if url.User != nil {
		diegoCreds = url.User.String()
	}

	receptorClient := receptor.NewClient(*diegoAPIURL)

	authenticatorMap := map[string]authenticators.PasswordAuthenticator{}

	if *enableDiegoAuth {
		diegoAuthenticator := authenticators.NewDiegoProxyAuthenticator(logger, receptorClient, []byte(diegoCreds))
		authenticatorMap[diegoAuthenticator.Realm()] = diegoAuthenticator
	}

	if *ccAPIURL != "" && *enableCFAuth {
		ccClient := cf_http.NewClient()
		cfAuthenticator := authenticators.NewCFAuthenticator(logger, ccClient, *ccAPIURL, receptorClient)
		authenticatorMap[cfAuthenticator.Realm()] = cfAuthenticator
	}

	authenticator := authenticators.NewCompositeAuthenticator(authenticatorMap)

	sshConfig := &ssh.ServerConfig{
		PasswordCallback: authenticator.Authenticate,
		AuthLogCallback: func(cmd ssh.ConnMetadata, method string, err error) {
			logger.Error("authentication-failed", err, lager.Data{"user": cmd.User()})
		},
	}

	if *hostKey == "" {
		err := errors.New("hostKey is required")
		logger.Fatal("host-key-required", err)
	}

	key, err := parsePrivateKey(logger, *hostKey)
	if err != nil {
		logger.Fatal("failed-to-parse-host-key", err)
	}

	sshConfig.AddHostKey(key)

	return sshConfig, err
}
		fakeCC = ghttp.NewServer()
		ccURL = fakeCC.URL()

		fakeUAA = ghttp.NewServer()
		u, err := url.Parse(fakeUAA.URL())
		Expect(err).NotTo(HaveOccurred())
		uaaUsername = "******"
		uaaPassword = "******"^&'"

		u.Path = "/oauth/token"
		uaaTokenURL = u.String()
	})

	JustBeforeEach(func() {
		authenticator = authenticators.NewCFAuthenticator(logger, httpClient, ccURL, uaaTokenURL, uaaUsername, uaaPassword, permissionsBuilder)
		permissions, authenErr = authenticator.Authenticate(metadata, password)
	})

	Describe("UserRegexp", func() {
		var regexp *regexp.Regexp

		BeforeEach(func() {
			regexp = authenticator.UserRegexp()
		})

		It("matches diego patterns", func() {
			Expect(regexp.MatchString("cf:guid/0")).To(BeTrue())
			Expect(regexp.MatchString("cf:123-abc-def/00")).To(BeTrue())
			Expect(regexp.MatchString("cf:guid/99")).To(BeTrue())
		})
Exemplo n.º 3
0
func configureProxy(logger lager.Logger) (*ssh.ServerConfig, error) {
	if *bbsAddress == "" {
		err := errors.New("bbsAddress is required")
		logger.Fatal("bbs-address-required", err)
	}

	url, err := url.Parse(*bbsAddress)
	if err != nil {
		logger.Fatal("failed-to-parse-bbs-address", err)
	}

	bbsClient := initializeBBSClient(logger)
	permissionsBuilder := authenticators.NewPermissionsBuiler(bbsClient)

	authens := []authenticators.PasswordAuthenticator{}

	if *enableDiegoAuth {
		diegoAuthenticator := authenticators.NewDiegoProxyAuthenticator(logger, []byte(*diegoCredentials), permissionsBuilder)
		authens = append(authens, diegoAuthenticator)
	}

	if *enableCFAuth {
		if *ccAPIURL == "" {
			return nil, errors.New("ccAPIURL is required for Cloud Foundry authentication")
		}

		_, err = url.Parse(*ccAPIURL)
		if *ccAPIURL != "" && err != nil {
			return nil, err
		}

		if *uaaPassword == "" {
			return nil, errors.New("UAA password is required for Cloud Foundry authentication")
		}

		if *uaaUsername == "" {
			return nil, errors.New("UAA username is required for Cloud Foundry authentication")
		}

		if *uaaTokenURL == "" {
			return nil, errors.New("uaaTokenURL is required for Cloud Foundry authentication")
		}

		_, err = url.Parse(*uaaTokenURL)
		if *uaaTokenURL != "" && err != nil {
			return nil, err
		}

		client := NewHttpClient()
		cfAuthenticator := authenticators.NewCFAuthenticator(
			logger,
			client,
			*ccAPIURL,
			*uaaTokenURL,
			*uaaUsername,
			*uaaPassword,
			permissionsBuilder,
		)
		authens = append(authens, cfAuthenticator)
	}

	authenticator := authenticators.NewCompositeAuthenticator(authens...)

	sshConfig := &ssh.ServerConfig{
		PasswordCallback: authenticator.Authenticate,
		AuthLogCallback: func(cmd ssh.ConnMetadata, method string, err error) {
			logger.Error("authentication-failed", err, lager.Data{"user": cmd.User()})
		},
	}

	if *hostKey == "" {
		err := errors.New("hostKey is required")
		logger.Fatal("host-key-required", err)
	}

	key, err := parsePrivateKey(logger, *hostKey)
	if err != nil {
		logger.Fatal("failed-to-parse-host-key", err)
	}

	sshConfig.AddHostKey(key)

	return sshConfig, err
}
Exemplo n.º 4
0
		metadata = &fake_ssh.FakeConnMetadata{}

		fakeCC = ghttp.NewServer()
		ccURL = fakeCC.URL()

		fakeUAA = ghttp.NewServer()
		u, err := url.Parse(fakeUAA.URL())
		Expect(err).NotTo(HaveOccurred())

		u.User = url.UserPassword("diego-ssh", "diego-ssh-secret")
		u.Path = "/oauth/token"
		uaaTokenURL = u.String()
	})

	JustBeforeEach(func() {
		authenticator = authenticators.NewCFAuthenticator(logger, httpClient, ccURL, uaaTokenURL, permissionsBuilder)
		permissions, authenErr = authenticator.Authenticate(metadata, password)
	})

	Describe("UserRegexp", func() {
		var regexp *regexp.Regexp

		BeforeEach(func() {
			regexp = authenticator.UserRegexp()
		})

		It("matches diego patterns", func() {
			Expect(regexp.MatchString("cf:guid/0")).To(BeTrue())
			Expect(regexp.MatchString("cf:123-abc-def/00")).To(BeTrue())
			Expect(regexp.MatchString("cf:guid/99")).To(BeTrue())
		})
Exemplo n.º 5
0
			actualLRPResponse = receptor.ActualLRPResponse{
				ProcessGuid:  "app-guid-app-version",
				Index:        0,
				InstanceGuid: "some-instance-guid",
				Address:      "1.2.3.4",
				Ports: []receptor.PortMapping{
					{ContainerPort: 1111, HostPort: 3333},
				},
			}

			receptorClient.ActualLRPByProcessGuidAndIndexReturns(actualLRPResponse, nil)
			receptorClient.GetDesiredLRPReturns(desiredLRPResponse, nil)
		})

		JustBeforeEach(func() {
			authenticator = authenticators.NewCFAuthenticator(logger, ccClient, ccURL, receptorClient)
			permissions, err = authenticator.Authenticate(metadata, password)
		})

		Context("when a client has inavlid username or password", func() {
			Context("and the guid is malformed", func() {
				BeforeEach(func() {
					metadata.UserReturns("cf:%X%FF/1")
				})

				It("fails to authenticate", func() {
					Expect(err).To(Equal(authenticators.InvalidRequestErr))
					Expect(fakeCC.ReceivedRequests()).To(HaveLen(0))
				})
			})